Step 5: Adding the Setting that Prevents Local Administrators from Applying Conflicting Rules

In this step, you configure and test a setting that prevents firewall rules created by local administrators from being applied to the computer and possibly conflicting with the GPO-deployed rules.

By default, members of the local Administrators group on the computer can use Windows Firewall with Advanced Security to create and enable firewall and connection security rules. These local rules are then merged with the rules received from Group Policy and applied to the computer's active configuration. The setting described in this section prevents the locally defined rules from merging with the rules that are contained in the deployed GPOs.

Important

Although this setting prevents a local administrator from applying a rule, it also prevents Windows Firewall with Advanced Security from prompting the user about a new program and creating an inbound rule when the user approves. If you enable this setting, you must make sure that every program that requires firewall rules has the correct rules defined in your GPOs.

The ping command works, which indicates that CLIENT1 can communicate with DC1.

Start the Windows Firewall with Advanced Security snap-in.

Under Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New Rule.

On the Rule Type page of the New Outbound Rule Wizard, click Custom, and then click Next.

On the Program page, select All programs, and then click Next.

On the Protocol and Ports page, use the default settings, and then click Next.

On the Scope page, use the default settings, and then click Next.

On the Action page, use the default settings, and then click Next.

On the Profile page, clear the check boxes for Private and Public, but leave Domain selected, and then click Next.

On the Name page, enter the name A Test Rule (use an 'A' as the first character to ensure the rule appears at the top of the list), and then click Finish.

This creates a firewall rule that blocks all network traffic, effectively breaking communications for the computer.

Return to the Command Prompt window, and run ping dc1 again.

The ping command fails, as shown in the lower half of the following figure, because the local firewall rule blocks outgoing communications.

In the Windows Firewall with Advanced Security snap-in, click Outbound Rules in the navigation pane, right-click A Test Rule, and then click Disable Rule. You must disable the rule to re-enable communication for the next steps.

In the next procedure, you modify the GPO assigned to the client computer to prevent locally defined rules from being merged and applied to the active firewall configuration. Also, you disable the notification that asks the user whether to allow a program for which there are no rules.

On CLIENT1, in Administrator: Command Prompt, run gpupdate /force. Wait until the command finishes.

In the Windows Firewall with Advanced Security snap-in, in the list of Outbound Rules, right-click A Test Rule, and then click Enable Rule.

In Administrator: Command Prompt, run ping dc1.

The ping command works even though A Test Rule appears to be enabled. The rule is listed as enabled on the local computer, but when you set Apply local firewall rules to No in the GPO in the previous procedure, you blocked the merging of local rules with the rules delivered in the GPO.

In the navigation pane of the Windows Firewall with Advanced Security snap-in, expand Monitoring, and then click Firewall to see the list of rules active on the local computer.

No rules are listed. You have not yet created any rules applied by GPO, and no local rules are active because of the settings that you included in the GPO.

Before proceeding, delete your rule. On CLIENT1, in the navigation pane, click Outbound Rules. In the results pane, right-click A Test Rule, click Delete, and then click Yes on the confirmation dialog box.
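The following PowerShell check is an added example, not part of the original guide, and confirms the result of the procedure above without the snap-in: while A Test Rule still exists, it shows the rule in the local persistent store but absent from the active store, and reports whether the effective Domain profile still allows local rule merging. It assumes the rule name A Test Rule from the steps above, an elevated prompt on CLIENT1, and the NetSecurity module (Windows 8 / Windows Server 2012 or later); the GPO path in the commented line is a placeholder.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell
# session on CLIENT1 after gpupdate /force and while "A Test Rule" still exists.

# 1. Effective Domain profile settings as applied on this computer (ActiveStore
#    reflects the merged result of local settings and the GPO).
$profile = Get-NetFirewallProfile -Name Domain -PolicyStore ActiveStore
$profile | Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules, NotifyOnListen

# 2. The rule as defined by the local administrator: present and Enabled = True.
Get-NetFirewallRule -DisplayName 'A Test Rule' -PolicyStore PersistentStore |
    Select-Object DisplayName, Enabled, Direction, Action, Profile

# 3. The rules actually enforced. With local rule merging blocked by the GPO,
#    the local rule is not here, so the lookup returns nothing.
$active = Get-NetFirewallRule -DisplayName 'A Test Rule' -PolicyStore ActiveStore -ErrorAction SilentlyContinue

# 4. Summarise the outcome.
if ($profile.AllowLocalFirewallRules -eq 'False' -and -not $active) {
    'OK: A Test Rule is defined locally but is not part of the active firewall configuration.'
}
elseif ($active) {
    'WARNING: A Test Rule is in the active store; the GPO is not blocking local rule merging.'
}
else {
    "Unexpected state: AllowLocalFirewallRules = $($profile.AllowLocalFirewallRules)"
}

# The equivalent of the two GPO settings from the previous procedure, written
# directly into a GPO. Replace the placeholder with your domain and GPO name.
# Set-NetFirewallProfile -Name Domain -AllowLocalFirewallRules False -NotifyOnListen False `
#     -PolicyStore '<domain FQDN>\<GPO name>'
```

Monitoring > Firewall in the snap-in reads the same ActiveStore, so the empty rule list in the procedure above and the missing result in step 3 are the same observation.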